11 Steps Attackers Took to Crack Target

Aorato, a specialist in Active Directory monitoring and protection, delivers a step-by-step report on how attackers used the stolen credentials of an HVAC vendor to steal the data of 70 million customers and 40 million credit cards and debit cards from the retailer.

Step 7: Propagate to Relevant Computers Using the New Admin Credentials

With their new credentials, the attackers could now proceed to go after their targets. But Aorato notes two obstacles were in their path: bypassing firewalls and other network-based security solutions that limit direct access to relevant targets, and running remote processes on various machines in the chain toward their relevant targets.

Aorato says the attackers used "Angry IP Scanner" to detect computers that were network accessible from the current computer and then tunneled through a series of servers to bypass the security measures using a port forwarding IT tool.

As for remotely executing processes on the targeted servers, Aorato says the attackers used their credentials in conjunction with the Microsoft PSExec utility (a telnet-replacement for executing processes on other systems) and the Windows internal Remote Desktop (RDP) client.

Aorato notes that both tools use Active Directory to authenticate and authorize the user, which means Active Directory is aware of this activity if anyone is looking for it.

Once the attackers had access to the targeted systems, they used the Microsoft Orchestrator management solution to gain persistent access, which would allow them to remotely execute arbitrary code on the compromised servers.

Step 8: Steal 70 Million PII. Do Not Find Credit Cards

At this point, Aorato says the attackers used SQL query tools to assess the value of database servers and a SQL bulk copy tool to retrieve database contents. And here, Be'ery says, is where PCI compliance seems to have presented a big obstacle to the attackers — ultimately what may have kept them to stealing "only" 40 million credit cards and debit cards rather than 70 million, a 40 percent reduction of the incident's repercussions.

Section 3.2 of the PCI-DSS standard states: "Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process."

In other words, while the attackers had already managed to access the PII of 70 million Target customers, it did not have access to credit cards. The attackers would have to regroup with a new plan.

"Since Target was PCI compliant, the databases did not store any credit card specific data, so they had to switch to plan B and steal the credit cards directly from the Point of Sales themselves," Be'ery says.

Step 9: Install Malware. Steal 40 Million Credit Cards

The PoS system was probably not an initial target of the attackers, Be'ery says. It was only when they were unable to access credit card data on the servers they had accessed that they focused on the PoS machines as a contingency. Using the intel garnered during step four and the remote execution capabilities garnered during step seven, the attackers installed the Kaptoxa (pronounced "Kar-toe-sha") on the PoS machines. The malware was used to scan the memory of infected machines and save any credit cards found to a local file.

This step, Be'ery notes, is the only one in which the attackers seem to have used custom-written malware rather than common IT tools.

"Having antivirus would not help you in this case," he says. "When the stakes are so high, with profit in the tens of millions of dollars, they don't care about the cost of creating tailor-made tools."

Step 10: Send Stolen Data via Network Share

Once the malware obtained the credit card data, it created a remote file share on a remote, FTP-enabled machine using a Windows command and the Domain Admin credentials. It would periodically copy its local file to the remote share.

Again, Be'ery notes, these activities would have been authorized against Activity Directory, making it aware of the activity.

Step 11: Send Stolen Data via FTP

Finally, once the data arrived on the FTP-enabled machine, a script was used to send the file to the attackers' controlled FTP accounting using the Windows internal FTP client.

"The initial penetration point is not the story, because eventually you have to assume you're going to get breached," Be'ery says. "You cannot assume otherwise. You have to be prepared and have an incident response plan for what to do when you are breached. The real problem arises when malware is able to enable an attacker to penetrate deeper into the network."

"If you have the right visibility, that activity really stands out," he adds.

How to Protect Your Organization

Be'ery recommends that organizations take the following steps to protect themselves: